Malware delivers keylogger and cryptocurrency miner on WordPress

February 2, 2018

On January 29, 2018, a security researcher at Sucuri discovered that sites running WordPress had been infected with malware that delivers both a keylogger and a cryptocurrency miner.

Affected Software:

Outdated and poorly configured WordPress and Server software including third-party themes and plugins.

Impact:

Users will experience slow performance when visiting the compromised website.

The cryptocurrency miner runs in the background and takes up 60% or more of the CPU's resources.

The keylogger captures passwords and other confidential information.

Recommendations:

For Users:

Netpluz recommends that end users install antivirus tools such as Sophos Endpoint, which can stop the malicious processes that allow cryptocurrency mining to proceed and can block or selectively allow adware and other Potentially Unwanted Applications (PUAs).

For System Administrators:

  1. Identify and remove the malicious scripts from their WordPress website. Examples of identified malicious scripts include:

     • hxxps://cdjs.online/lib.js?ver=…
     • hxxps://cdns.ws/lib/googleanalytics.js?ver=…
     • hxxps://msdns.online/lib/mnngldr.js?ver=…
     • hxxps://msdns.online/lib/klldr.js

  2. Change all WordPress passwords
  3. Update all server software including third-party themes and plugins
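
One way to carry out the first administrator step is to search the site's files for references to the script hosts listed above. The scanner below is an added example, not code from this advisory or from Sucuri; the file-extension list is an assumption and the sample files in demo() are constructed.

```python
import os
import re
import tempfile

# Indicators copied from the advisory, still defanged (hxxps).
DEFANGED_IOCS = [
    "hxxps://cdjs.online/lib.js", "hxxps://cdns.ws/lib/googleanalytics.js",
    "hxxps://msdns.online/lib/mnngldr.js", "hxxps://msdns.online/lib/klldr.js",
]
# Refang and keep only the hostnames, so any path or ?ver= value still matches.
HOSTS = sorted({i.replace("hxxp", "http").split("://", 1)[1].split("/", 1)[0]
                for i in DEFANGED_IOCS})
# Whole-hostname match: subdomains hit, look-alikes such as "mycdns.ws" do not.
PATTERN = re.compile(
    r"(?<![A-Za-z0-9-])(" + "|".join(map(re.escape, HOSTS)) +
    r")(?![A-Za-z0-9-]|\.[A-Za-z0-9])", re.IGNORECASE)
SCAN_EXT = (".php", ".js", ".html", ".htm", ".sql")  # assumed set; .sql covers a database dump

def scan_text(text):
    """Return (line_number, host, line) for every line that names an IoC host."""
    return [(n, m.group(1).lower(), line.strip()[:120])
            for n, line in enumerate(text.splitlines(), 1)
            for m in PATTERN.finditer(line)]

def scan_tree(root):
    """Walk root and return {relative_path: hits} for files that contain a match."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(SCAN_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Scan a constructed two-file tree (sample content, not from a real site)."""
    files = {"functions.php": "<?php\necho \"<script src='//MSDNS.online/lib/klldr.js'></script>\";\n",
             "footer.php": "<script src='https://mycdns.ws/app.js'></script>\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point scan_tree() at the WordPress document root or at a directory holding a database dump. A literal hostname match will not find a reference that has been encoded or obfuscated, so an empty result is not proof of a clean site.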